Vault Configuration with PostgreSQL DB
To configure Vault with "PostgreSQL" as the storage backend and "database" as the secrets engine, apply the following configuration.
Create a new database named "insightsvault" for Vault in PostgreSQL.
Add the following data tables inside the new database:
CREATE TABLE vault_kv_store (
parent_path TEXT COLLATE "C" NOT NULL,
path TEXT COLLATE "C",
key TEXT COLLATE "C",
value BYTEA,
CONSTRAINT pkey PRIMARY KEY (path, key)
);
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
CREATE TABLE vault_ha_locks (
ha_key TEXT COLLATE "C" NOT NULL,
ha_identity TEXT COLLATE "C" NOT NULL,
ha_value TEXT COLLATE "C",
valid_until TIMESTAMP WITH TIME ZONE NOT NULL,
CONSTRAINT ha_key PRIMARY KEY (ha_key)
);
Create a new vault_config.hcl and add the following configuration to it:
storage "postgresql" {
connection_url = "postgresql://grafana:grafana@localhost:5432/insightsvault?sslmode=disable"
}
ui = true
log_level="trace"
plugin_directory="C:\\Insights\\vault_1.5.5_windows_amd64\\plugins"
listener "tcp" {
address = "10.10.90.42:8200"
tls_disable = 1
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://10.10.90.42:8201"
raw_storage_endpoint=true
Create a plugins directory inside the Vault installation and set its path as "plugin_directory" inside vault_config.hcl.
Download the latest plugin from https://github.com/hashicorp/vault/tree/master/plugins/database/postgresql and store the built postgresql-database-plugin inside the plugin_directory path.
Run the following command from the command prompt to register the plugin in Vault (the plugin type is "database", since this is a database secrets engine plugin):
vault plugin register -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 database postgresql-database-plugin
Enable the database secrets engine plugin:
The default path is "database". If you want to change the path, run the following command:
Configure Vault with the proper plugin and connection information.
Configure a role that maps a name in Vault to the SQL statement executed to create the database credential; make sure that the role's db_name and the name used in database/config/<name> are the same.
Call the following POST API to store data:
http://<host>:<port>/v1/sys/raw/<secret engine from server config>/<clientId>/serverConfig
Ex: http://10.10.90.42:8200/v1/sys/raw/database/local/serverConfig
This API needs two headers, X-Vault-Token and Host; X-Vault-Token is the root token.
Call the following GET API to fetch data from Vault:
http://<host>:<port>/v1/sys/raw/<secret engine from server config>/<clientId>/serverConfig
Ex: http://10.10.90.42:8200/v1/sys/raw/database/local/serverConfig
This API needs two headers, X-Vault-Token and Host; X-Vault-Token is the root token.
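The role/config writes and the sys/raw POST and GET calls above, as an added stdlib-only example (not code from this page or from HashiCorp); VAULT_ADDR, the token, the role name and the sample config values are constructed assumptions, and the db_name of the role is taken from the config name so the two cannot drift apart.

```python
"""Minimal urllib client for the Vault endpoints described on this page."""
import json
import urllib.request

# Assumed address of the Vault listener (constructed for this example).
VAULT_ADDR = "http://10.10.90.42:8200"


def _request(token, method, path, body=None):
    """Build a Request for /v1/<path> carrying the X-Vault-Token and Host headers."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    req.add_header("Host", VAULT_ADDR.split("//", 1)[1])
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def raw_server_config_path(engine, client_id):
    """sys/raw/<secret engine>/<clientId>/serverConfig, the path form used on this page."""
    return f"sys/raw/{engine}/{client_id}/serverConfig"


def put_raw_server_config(token, engine, client_id, config):
    """POST the server config; sys/raw stores the 'value' string verbatim."""
    return _request(token, "POST", raw_server_config_path(engine, client_id),
                    {"value": json.dumps(config)})


def get_raw_server_config(token, engine, client_id):
    """GET the stored server config (decoded value is under data.value)."""
    return _request(token, "GET", raw_server_config_path(engine, client_id))


def database_config_and_role(token, name, connection_url, role, creation_sql):
    """Writes for database/config/<name> and database/roles/<role>; db_name == name."""
    config = _request(token, "POST", f"database/config/{name}", {
        "plugin_name": "postgresql-database-plugin",
        "allowed_roles": [role],
        "connection_url": connection_url,
    })
    role_req = _request(token, "POST", f"database/roles/{role}", {
        "db_name": name,
        "creation_statements": [creation_sql],
    })
    return config, role_req


def request_body(req):
    """Decode the JSON body of a built request (used for inspection before sending)."""
    return json.loads(req.data)


def send(req):
    """Execute a request; urllib raises HTTPError on a non-2xx Vault response."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")
```

The request builders run offline; only send() talks to Vault, so the headers and bodies can be inspected before anything is written.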
Create a new username and password to log in to the Vault API rather than using the root token.
Unseal the vault and check the storage engine.
©2021 Cognizant, all rights reserved. US Patent 10,410,152